Fetchmail using Windstream Secure POP Email
For some known reasons, Fetchmail does not pull the issuing certificate authority's SSL certificates on its own, so the issuer's certificates have to be downloaded manually.
The following will aid in configuring Fetchmail to communicate via POP3 SSL. For Fetchmail to currently work with POP3 Windstream.net SSL email, Fetchmail requires two Sectigo certificates, "SectigoRSAOrganizationValidationSecureServerCA.crt" and "Sectigo SHA-2 Root USERTrust RSA Certification Authority.crt", downloaded and rehashed.
DOMAIN: POP.WINDSTREAM.NET
PROTOCOL: POP3
PORT: 995
$ mkdir -p $HOME/.fetchmail/ssl
$ cd $HOME/.fetchmail/ssl
Manually download two certificates from sectigo.com
"SectigoRSAOrganizationValidationSecureServerCA.crt"
"Sectigo SHA-2 Root USERTrust RSA Certification Authority.crt"
NOTE: If the certificate issuing authority changes, see the TIPS section below for finding the new or changed issuing certificate authority, including URLs for downloading.
OpenSSL looks certificates up by a hashed file name instead of the given file name, so create hashed symlinks to the given file names.
$ openssl rehash .
file: $HOME/.fetchmailrc
poll pop.windstream.net
proto pop3
service 995
user some_user_name
password some_user_password
options ssl
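# absolute path to the certificate directory created above (placeholder home directory)
options sslcertpath "/home/some_user_name/.fetchmail/ssl"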
If the above $HOME/.fetchmailrc file fails, fall back to the following settings:
file: $HOME/.fetchmailrc
poll pop.windstream.net
proto pop3
service 995
user some_user_name
password some_user_password
options ssl sslcertck
options sslfingerprint "your_servers_fingerprint"
Obtain an sslfingerprint via instructions elsewhere.
TIPS
Windstream.net only prints/pushes the issuer certificate every so many minutes. So the following will usually print only Windstream.net's certificate, and print Sectigo's certificate only every so many minutes. (i.e., you will usually see only one certificate, windstream.net's, while the second, sectigo.com's, appears only every so many minutes.)
$ echo | openssl s_client -CApath $HOME/.fetchmail/ssl -showcerts -servername windstream.net -connect pop.windstream.net:995
Download Sectigo RSA certificate from windstream.net
This will download windstream.net's certificate (see the tip above) and print the download URI/URL of the second certificate.
$ echo | openssl s_client -connect pop.windstream.net:995 -showcerts 2>/dev/null | sed -ne '/BEGIN CERT/,/END CERT/p' > /tmp/windstream.cert
$ openssl x509 -text -noout -in /tmp/windstream.cert | grep URI
$ wget "<contents of the URI or CA Issuers - URI: line printed above>"
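Added example (not part of the original page): the script below shows why both the intermediate and the root certificate have to be present in the hashed directory, and it handles a downloaded file that is DER rather than PEM, as files behind a "CA Issuers - URI" link commonly are; `openssl rehash` only links PEM files. It builds a constructed root/intermediate/server chain offline. The function names, file names and subjects are assumptions for illustration, and OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example. The chain built here is constructed test data, not
# Windstream's or Sectigo's certificates. Assumes OpenSSL 1.1.1 or later.

# install_ca_cert FILE DIR: store FILE in DIR as PEM, converting from DER
# when needed (rehash only links PEM files), then rebuild the hash links.
install_ca_cert() {
    out="$2/$(basename "${1%.*}").pem"
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -out "$out" || return 1
    else
        openssl x509 -inform DER -in "$1" -out "$out" || return 1
    fi
    openssl rehash "$2" >/dev/null
}

# chain_ok CERT DIR: true only if CERT chains to a root using DIR alone
# (-no-CAfile keeps the system CA bundle file out of the check).
chain_ok() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# make_demo_chain DIR: constructed root -> intermediate -> server chain.
# int.crt is written as DER to mimic a file fetched from a CA Issuers URI.
make_demo_chain() {
    d=$1; c="$d/c.cnf"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$c"
    for n in root int server; do
        openssl req -config "$c" -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=constructed $n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$c" -extensions ca -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 2 -extfile "$c" -extensions ca -out "$d/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 2 -out "$d/server.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/int.pem" -outform DER -out "$d/int.crt"
}

demo() {
    w=$(mktemp -d) && mkdir "$w/ssl" && make_demo_chain "$w" || return 1
    install_ca_cert "$w/root.pem" "$w/ssl"
    chain_ok "$w/server.pem" "$w/ssl" && echo "root only: verifies" || echo "root only: fails"
    install_ca_cert "$w/int.crt" "$w/ssl"
    chain_ok "$w/server.pem" "$w/ssl" && echo "root + intermediate: verifies"
    rm -rf "$w"
}
demo
```

For the real setup, call install_ca_cert on each downloaded Sectigo file with $HOME/.fetchmail/ssl as the directory, then run chain_ok on /tmp/windstream.cert.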